Facebook Phishing Scam Steals Millions of Credentials


By Stu Sjouwerman

Researchers at PIXM have uncovered a major Facebook Messenger phishing scam that’s “potentially impacted hundreds of millions of Facebook users.” More than eight million people have visited just one of these phishing pages so far this year.

“While viewing the Yearly Views page, we see 2.7 million users visited one of their pages in 2021, and around 8.5 million so far in 2022,” the researchers write. “This represents tremendous growth in the campaign from 2021 to 2022.”

The threat actors used compromised Facebook accounts to spread the phishing pages through Facebook Messenger.

“It appeared evident that these links originated from Facebook itself,” the researchers write. “That is, a user’s account would be compromised and, in a likely automated fashion, the threat actor would log in to that account, and send out the link to the user’s friends via Facebook Messenger. Facebook’s internal threat intelligence team is privy to these credential harvesting schemes; however, this group employs a technique to circumvent their URLs from being blocked. This technique involves the use of completely legitimate app deployment services to be the first link in the redirect chain once the user has clicked the link. After the user has clicked, they will be redirected to the actual phishing page. But, in terms of what lands on Facebook, it’s a link generated using a legitimate service that Facebook could not outright block without blocking legitimate apps and links as well.”

Notably, the campaign used automation to cycle through different phishing pages, which enabled it to avoid detection by security technologies.

“Once one of [the URLs] was found and blocked, it was trivial (and based on the speed we observed, likely automated) to spin up a new link using the same service, with a new unique ID,” the researchers write. “We would often observe several used in a day, per service…. The use of these services allows the threat actors’ links to remain undetected and unblocked by Facebook Messenger (and by domain reputation services) for long periods of time. This approach has yielded enormous success for the threat actor.”
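The two evasion traits the researchers describe (a legitimate hosting service as the first hop of a redirect chain, and a fresh unique ID spun up every time a link is blocked) can be turned into defensive signals. The following is an added illustration, not code from PIXM or from this article: it runs two heuristics over constructed link observations and a constructed redirect map (hostnames such as app-deploy.example are placeholders; the write-up does not name the services involved).

```python
from collections import defaultdict
from urllib.parse import urlparse

# Constructed sample of links observed in Messenger traffic, as (timestamp, url).
# Four distinct IDs on one hosting service in a single day mirrors the churn the
# researchers describe; the docs link is a benign control.
OBSERVED_LINKS = [
    ("2022-03-01T09:02:00", "https://app-deploy.example/a1b2c3"),
    ("2022-03-01T10:15:00", "https://app-deploy.example/d4e5f6"),
    ("2022-03-01T13:40:00", "https://app-deploy.example/g7h8i9"),
    ("2022-03-01T16:05:00", "https://app-deploy.example/j0k1l2"),
    ("2022-03-01T11:00:00", "https://docs.example/guide"),
    ("2022-03-02T08:30:00", "https://app-deploy.example/m3n4o5"),
]

# Constructed redirect map standing in for live HTTP fetches: hop -> next hop.
# None (or a missing key) means the URL is the final landing page.
REDIRECTS = {
    "https://app-deploy.example/a1b2c3": "https://cdn-hop.example/x",
    "https://cdn-hop.example/x": "https://fb-login-verify.example/",
    "https://app-deploy.example/d4e5f6": "https://fb-login-verify.example/",
    "https://docs.example/guide": None,
}


def resolve_chain(url, redirects, max_hops=10):
    """Follow the recorded redirect chain; return every hop up to the landing page."""
    chain = [url]
    while redirects.get(chain[-1]) and len(chain) < max_hops:
        chain.append(redirects[chain[-1]])
    return chain


def landing_mismatch(url, redirects):
    """True when the link a user sees lands on a different host than the first hop."""
    chain = resolve_chain(url, redirects)
    return urlparse(chain[0]).hostname != urlparse(chain[-1]).hostname


def churn_by_service(links, threshold=3):
    """Count distinct path IDs per (host, day); return those at or above threshold."""
    ids = defaultdict(set)
    for ts, url in links:
        parsed = urlparse(url)
        ids[(parsed.hostname, ts[:10])].add(parsed.path)
    return {key: len(paths) for key, paths in ids.items() if len(paths) >= threshold}
```

A host mismatch alone also fires on ordinary URL shorteners, so the two signals are meant to be combined: a hosting service that both churns IDs daily and consistently lands on the same unrelated credential page is the pattern worth alerting on.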

PIXM has the story.